Manage NSG flow logs using Azure PowerShell

Important

On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.

In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. You can learn how to manage an NSG flow log using the Azure portal, Azure CLI, REST API, or ARM template.

Prerequisites

Register insights provider

Microsoft.Insights provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure if the Microsoft.Insights provider is registered, use Register-AzResourceProvider to register it.

# Register Microsoft.Insights provider.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights'

Create a flow log

  1. Get the properties of the network security group that you want to create the flow log for and the storage account that you want to use to store the created flow log using Get-AzNetworkSecurityGroup and Get-AzStorageAccount respectively.

    # Place the network security group properties into a variable.
    $nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'
    
    # Place the storage account properties into a variable.
    $sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
    

    Note

    • If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
  2. Create the flow log using New-AzNetworkWatcherFlowLog. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.

    # Create a version 1 NSG flow log.
    New-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true
    

Create a flow log and traffic analytics workspace

  1. Get the properties of the network security group that you want to create the flow log for and the storage account that you want to use to store the created flow log using Get-AzNetworkSecurityGroup and Get-AzStorageAccount respectively.

    # Place the network security group properties into a variable.
    $nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'
    
    # Place the storage account properties into a variable.
    $sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
    

    Note

    • The storage account can't have network rules that restrict network access to only Azure services or specific virtual networks.
    • If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
  2. Create a traffic analytics workspace using New-AzOperationalInsightsWorkspace.

    # Create a traffic analytics workspace and place its properties into a variable.
    $workspace = New-AzOperationalInsightsWorkspace -Name 'myWorkspace' -ResourceGroupName 'myResourceGroup' -Location 'chinaeast'
    
  3. Create the flow log using New-AzNetworkWatcherFlowLog. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.

    # Create a version 1 NSG flow log with traffic analytics.
    New-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId
    

Change a flow log

You can use Set-AzNetworkWatcherFlowLog to change the properties of a flow log. For example, you can change the flow log version or disable traffic analytics.

# Place the network security group properties into a variable.
$nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'

# Place the storage account properties into a variable.
$sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'

# Update the NSG flow log.
Set-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true -FormatVersion 2 

List all flow logs in a region

Use Get-AzNetworkWatcherFlowLog to list all NSG flow log resources in a particular region in your subscription.

# Get all NSG flow logs in China East region.
Get-AzNetworkWatcherFlowLog -Location 'chinaeast' | format-table Name

Note

To use the -Location parameter with Get-AzNetworkWatcherFlowLog cmdlet, you need an additional Reader permission in the NetworkWatcherRG resource group.

View details of a flow log resource

Use Get-AzNetworkWatcherFlowLog to see details of a flow log resource.

# Get the details of a flow log.
Get-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast'

Note

To use the -Location parameter with Get-AzNetworkWatcherFlowLog cmdlet, you need an additional Reader permission in the NetworkWatcherRG resource group.

Download a flow log

The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. Fore more information, see Get started with Storage Explorer.

NSG flow log files saved to a storage account follow this path:

https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

For information about the structure of a flow log, see Log format of NSG flow logs.

Disable a flow log

To temporarily disable a flow log without deleting it, use Set-AzNetworkWatcherFlowLog with the -Enabled $false parameter. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.

Note

If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log.

# Place the network security group properties into a variable.
$nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'

# Place the storage account properties into a variable.
$sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'

# Update the NSG flow log.
Set-AzNetworkWatcherFlowLog -Enabled $false -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id

Delete a flow log

To permanently delete an NSG flow log, use Remove-AzNetworkWatcherFlowLog command. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.

# Delete the flow log.
Remove-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast'

Note

Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follow the configured retention policy.